TPM-FAIL: Trusted Platform Module - Exploited

grarpamp grarpamp at gmail.com
Wed Nov 13 16:31:02 PST 2019


http://tpm.fail/tpmfail.pdf
https://github.com/VernamLab/TPM-Fail

TPM meets Timing and Lattice Attacks

Trusted Platform Module (TPM) serves as a root of trust for the
operating system. TPM is supposed to protect our security keys from
malicious adversaries like malware and rootkits.

Most laptop and desktop computers nowadays come with a dedicated TPM
chip, or they use the Intel firmware-based TPM (fTPM) which runs on a
separate microprocessor inside the CPU. Intel CPUs support fTPM since
the Haswell generation (2013). TPM chips are also used in other
computing devices such as cellphones and embedded devices.

We discovered timing leakage on Intel firmware-based TPM (fTPM) as
well as in STMicroelectronics' TPM chip. Both exhibit secret-dependent
execution times during cryptographic signature generation. While the
key should remain safely inside the TPM hardware, we show how this
information allows an attacker to recover 256-bit private keys from
digital signature schemes based on elliptic curves.

A team of academics has disclosed today two vulnerabilities known
collectively as TPM-FAIL that could allow an attacker to retrieve
cryptographic keys stored inside TPMs. The first vulnerability is
CVE-2019-11090 and impacts Intel's Platform Trust Technology (PTT).
Intel PTT is Intel's fTPM software-based TPM solution and is widely
used on servers, desktops, and laptops, being supported on all Intel
CPUs released since 2013, starting with the Haswell generation. The
second is CVE-2019-16863 and impacts the ST33 TPM chip made by
STMicroelectronics. This chip is incredibly popular and is used on a
wide array of devices ranging from networking equipment to cloud
servers, being one of the few chips that received a Common Criteria
(CC) EAL 4+ classification — which implies it comes with built-in
protection against side-channel attacks like the ones discovered by
the research team. Unlike most TPM attacks, these ones were deemed
practical. A local adversary can recover the ECDSA key from Intel fTPM
in 4-20 minutes depending on the access level. We even show that these
attacks can be performed remotely on fast networks, by recovering the
authentication key of a virtual private network (VPN) server in 5
hours.
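The leak class behind both CVEs is that the time taken to compute the
ECDSA nonce's scalar multiplication depends on the nonce's bit length.
The toy below is an added illustration, not code from the TPM-FAIL paper
or the VernamLab repository: it uses a tiny textbook curve
(y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of order 19; the real
attack targeted 256-bit curves) and counts group operations as a stand-in
for execution time. A naive double-and-add loop runs once per bit of the
scalar, so a nonce with leading zero bits finishes early; a fixed-iteration
Montgomery ladder does the same amount of work for every scalar, which is
the property a TPM firmware or chip needs to defeat this measurement.

```python
# Added illustration (not code from the TPM-FAIL paper or repository):
# why a variable-time scalar multiplication leaks the bit length of the
# ECDSA nonce, and how a fixed-iteration ladder removes that leak.
# Toy curve y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of order 19
# (a textbook curve; the real attack targeted 256-bit curves).
P, A = 17, 2
G, N = (5, 1), 19


def inv(x):
    return pow(x, -1, P)          # modular inverse (Python 3.8+)


def ec_add(p1, p2, ops):
    """Affine point addition/doubling; None is the point at infinity.
    Every call is counted so operation counts stand in for execution time."""
    ops["count"] += 1
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P     # tangent slope
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult_vartime(k, point):
    """Left-to-right double-and-add. The loop runs once per bit of k, so a
    scalar with leading zero bits finishes faster: the TPM-FAIL leak class."""
    ops = {"count": 0}
    result = None
    for bit in bin(k)[2:]:                # no leading zeros: length depends on k
        result = ec_add(result, result, ops)
        if bit == "1":
            result = ec_add(result, point, ops)
    return result, ops["count"]


def scalar_mult_ladder(k, point, nbits=N.bit_length()):
    """Montgomery ladder over a fixed number of bits: two group operations
    per iteration regardless of k's value or bit length."""
    ops = {"count": 0}
    r0, r1 = None, point                  # invariant: r1 == r0 + point
    for i in range(nbits - 1, -1, -1):
        bit = (k >> i) & 1
        if bit:                           # real code: arithmetic cswap, no branch
            r0, r1 = r1, r0
        r1 = ec_add(r0, r1, ops)
        r0 = ec_add(r0, r0, ops)
        if bit:
            r0, r1 = r1, r0
    return r0, ops["count"]


def op_count_profile(mult):
    """Sorted set of operation counts observed over every nonzero scalar mod N.
    More than one value means the work done depends on the secret scalar."""
    return sorted({mult(k, G)[1] for k in range(1, N)})


if __name__ == "__main__":
    for k in (1, 3, 18):
        print(k, scalar_mult_vartime(k, G), scalar_mult_ladder(k, G))
    print("double-and-add op counts:", op_count_profile(scalar_mult_vartime))
    print("ladder op counts:        ", op_count_profile(scalar_mult_ladder))
```

Running it shows the double-and-add counts spread from 2 to 8 across the
19-element group while the ladder always reports 10; on a 256-bit curve the
same spread, measured as wall-clock time over many signatures, is what lets
an observer sort signatures by nonce length. The Python `if bit:` swap is
itself a branch on the secret and is kept only for readability; production
code performs the swap arithmetically.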
